The Empire State is making waves in the world of privacy with the introduction of its own version of the now infamous California Consumer Privacy Act (CCPA). SB 567, which was introduced on January 6, 2021, is New York’s attempt to introduce new consumer rights with respect to personal information, as well as regulate the sale of consumer personal information to third parties. Notably, the Bill also introduces a private right of action for consumers who have suffered an injury in-fact.
What are the key provisions?
At a high-level, the Bill includes some provisions that are similar to the CCPA, however, unlike the CCPA the Bill focuses exclusively on the sale and disclosure of personal information. Specifically, the Bill:
- Introduces the concept of “sale” of personal information, though the Bill defines the concept differently than the CCPA, as: “(A) selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for valuable consideration; or (B) sharing orally, in writing, or by electronic or other means, a consumer’s personal information with a third party, whether for valuable consideration” (i.e., adding the element of “valuable consideration” to at least some forms of information exchange). This concept is arguably broader than the CCPA’s definition of “sale”, which requires consideration in all cases.
- Gives consumers the right to request that a business which collects the consumer’s personal information disclose to the consumer the categories of personal information it has collected about the consumer (i.e., not only information collected from the consumer).
- Gives consumers the right to request that businesses selling personal information disclose both the categories of personal information the business disclosed or sold, and the identity of the third parties to whom the personal information was disclosed or sold.
- Gives consumers the right to opt-out of the sale of their personal information, and includes a requirement that the business generate an identifier for a consumer who has “opted out” to alert third parties that the consumer has opted out of the sale of such sale.
- Prohibits businesses from discriminating against a consumer because the consumer directed the business not to sell the consumer’s personal information.
What about the expanded private right of action?
Importantly, the Bill also creates a private right of action, deeming a consumer to have suffered an “injury in fact” by virtue of the statutory violation alone, and essentially waiving the requirement to establish a concrete and particularized injury to bring suit. As a practical matter, this allows a consumer who falls victim to a violation to recover statutory damages – to the tune of $1,000 for each violation – even if they have not suffered any loss of money or property as a result of the violation. Violations deemed “knowing and willful” will recover up to $3,000 in statutory penalties a piece, or actual damages, whichever is greater. The Bill does not, however, allow for the recovery of attorneys’ fees. Unlike under the CCPA, this private right of action is not limited to breaches of sensitive personal information, but rather applies to all violations of the law.
This facet of the Bill risks inciting a new wave of consumer privacy class actions over alleged violations, in addition to opening the door to claims from vendors and competitors.